CSSCurrent de:Microsoft Exchange Online auf Cryptshare Appliances: Unterschied zwischen den Versionen

Introduction

The Cryptshare Appliance sends notification emails when updates to the underlying OpenSuse components are available. For this, a local postfix is installed that is usually configured by the Cryptshare Server. However, this is only automatically done, when a regular SMTP server is used as a target for the local postfix. In case, Microsoft Exchange Online is used together with OAuth 2.0 authentication, then the configuration of postfix has to be done manually.

Set-up

Placeholder values that have to be filled by you, are marked with <...>, e.g. replace <your-domain> with domain.com

Installing Postfix

Download the sasl-xoauth2-0.25.0.x86_64.rpm from here and upload it to your virtual machine.

zypper install postfix

echo "<your-domain.com>" > /etc/mailname

zypper install sasl-xoauth2-0.25-0.x86_64.rpm

In case you receive a warning that the rpm file is not signed, press i to ignore this warning.

Create a dummy certificate for Postfix

Postfix requires a dummy certificate for its connection to Exchange.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem

You can create this certificate with arbitrary dummy values.

Configuring Postfix

Open the file /etc/postfix/main.cf

vim /etc/postfix/main.cf

Configure the main.cf file to refer to the correct domain and hostnames, e.g.:

myorigin = /etc/mailname

biff = no

append_dot_mydomain = no

delay_warning_time = 0h

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may

smtp_tls_CApath=/etc/ssl/certs
smtp_always_send_ehlo = yes
smtp_tls_security_level=encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = <hostname>
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, , <hostname>, localhost.localhost, localhost
relayhost = [smtp.office365.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options =
smtp_sasl_mechanism_filter = xoauth2
smtp_tls_security_level = encrypt
smtp_generic_maps = hash:/etc/postfix/generic

• Set up the postfix generic touch /etc/postfix/genericpostmap /etc/postfix/generic
• Create the directory where the OAuth token will be stored: mkdir -p /var/spool/postfix/etc/tokens

• Set permissions so that Postfix can read the token: chown -R postfix:postfix /var/spool/postfix/etc/tokens

• Restart the Postfix service: systemctl restart postfix

• Copy the CA certificates into the chroot environment (⚠️ this file is cleared on each Postfix restart): cp /etc/ssl/certs/ca-certificates.crt /var/spool/postfix/etc/ssl/certs/ca-certificates.crt

• Create the /etc/postfix/sasl_passwd file with the contents:

[smtp.office365.com]:587 <sendermail>:/etc/tokens/<sendermail>

e.g.:

[smtp.office365.com]:587 john.doe@domain.com:/etc/tokens/john.doe@domain.com

and set permissions chmod 600 /etc/postfix/sasl_passwd

• Generate the hashed SASL password database: postmap /etc/postfix/sasl_passwd

(Optional) Automate Certificate Copy with systemd

As we've seen, every time the Postfix service starts, it clears the file /var/spool/postfix/etc/ssl/certs/ca-certificates.crt. Instead of copying it manually each time, you can edit the systemd service to do this automatically on startup.

• Edit the postfix.service override configuration:

systemctl edit postfix.service

• Add the following override to copy the certificate after Postfix starts:

### Editing /etc/systemd/system/postfix.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file

[Service]
ExecStart=/usr/bin/cp /etc/ssl/certs/ca-certificates.crt /var/spool/postfix/etc/ssl/certs/ca-certificates.crt

### Lines below this comment will be discarded

### /lib/systemd/system/postfix.service
# [Unit]
# Description=Postfix Mail Transport Agent
# Documentation=man:postfix(1)
# Conflicts=sendmail.service exim4.service
# ConditionPathExists=/etc/postfix/main.cf
# 
# [Service]
# Type=oneshot
# RemainAfterExit=yes
# ExecStart=/bin/true
# ExecReload=/bin/true
# 
# [Install]
# WantedBy=multi-user.target

Note: Don’t forget to run systemctl daemon-reload after editing if it's not done automatically.

Generate an OAuth Token

• Edit the /etc/sasl-xoauth2.conf file with the following parameters:
  • client_id: Application (Client) ID
  • client_secret: Leave this field empty
  • <TENANT_ID>: Tenant ID
  • log_full_trace_on_failure: (Optional) enable detailed logging on failure
  • log_to_syslog_on_failure: (Optional) log errors to syslog

Here is an example configuration for /etc/sasl-xoauth2.conf using your application and tenant IDs:

{
  "client_id": "<CLIENT_ID>",
  "client_secret": "",
  "log_full_trace_on_failure": "yes",
  "log_to_syslog_on_failure": "no",
  "token_endpoint": "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token"
}

"client_id": "2105063f-f128-4060-96fc-18d5de605999",
 "client_secret": "",
 "log_full_trace_on_failure": "yes",
 "log_to_syslog_on_failure": "no",

  "token_endpoint": "https://login.microsoftonline.com/365a21da-ebd9-4e7a-af3a-95844dfa91bb/oauth2/v2.0/token"

• Generate the OAuth token using the following command:
  • postfix@std.rocks: outlook 365 account
  • --client-id: Application ID
  • --tenant: Tenant ID

root@host:~# sasl-xoauth2-tool get-token outlook /var/spool/postfix/etc/tokens/postfix@std.rocks --client-id="<CLIENT_ID>" --use-device-flow --tenant="<TENANT_ID>"

The command will prompt you to authenticate via browser. You will see a message like this:

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXXX to authenticate.

• Follow the instructions: open https://microsoft.com/devicelogin in your browser and enter the provided code. Log in using the dedicated Postfix account. An administrator will need to approve the permission request. (⚠️Make sure to sign in with your Office 365 Postfix account, otherwise the token you receive will not allow you to send emails.⚠️)
• If everything is successful, the tool will return: Acquired token.
  • You should now see a token file created in the configured directory: root@host:~# ls -lh /var/spool/postfix/etc/tokens/total 4,0K -rw-r--r-- 1 root root 3,5K 13 juil. 15:31 <sendermail>
  • Test your OAuth token file using the test-token-refresh option: root@host:~# sasl-xoauth2-tool test-token-refresh /var/spool/postfix/etc/tokens/<sendermail>
  • If the token is valid and refreshable, the tool will return: Config check passed.Token refresh succeeded.

Test and Debug

Test the Email Relay with sendmail

Your relay should now be operational. To test the setup from the relay host, you can use the sendmail command directly from the terminal.

• Create a test message file:

From: <sender-mail>To: <recipient-mail>Subject: Test message

Does it work?

• Send the email using sendmail: root@host:~# cat /tmp/test.txt | sendmail -F <sender-mail> <recipient-mail>